User: Password:
Subscribe / Log in / New account

dm-crypt comments and general security

dm-crypt comments and general security

Posted Mar 22, 2009 19:20 UTC (Sun) by lemmings (guest, #53618)
Parent article: Tin Hat: secured by running from RAM

Not sure what the factual basis is of the article comment:

"also supports the use of dm-crypt, although, presumably because of
dm-crypt's emphasis on external drives, its use is not recommended for
hard drives."

dm-crypt works on any block device. It can also work on files via the
loopback device.

The project website Quickstart document contains:

"To this end, we prefer Jari Ruusu's loop-aes multikey encryption scheme over others, like dm-crypt, which are more likely to be susceptible to various sophisticated attacks."

If the sophisticated attacks they are referring to are the watermarking
attacks, then this is a problem that has been solved since 2.6.10
through the use of ESSIV.

Overall, it seems like the project goals are pretty misguided. The
onerous task of having to regenerate a new image to (persistently)
update any software is likely to lead to systems running out of date
software which is then more likely to contain vulnerabilities!

They could meet their goal of having zero interpretable data from
a coldboot attack by just putting a kernel & appropriate initrd image
on a USB drive. This would also avoid the usability nightmare of
losing all data/settings on a system crash or having to mount
another device just to save your data.

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds